package com.isoftstone.util;

import java.lang.reflect.Method;
import java.text.Normalizer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class XSSCheckUtil {


    public static boolean checkXSS(String value) {
        String cleanValue = null;
        if (value != null) {
            cleanValue = Normalizer.normalize(value, Normalizer.Form.NFD);

            // Avoid null characters
            cleanValue = cleanValue.replaceAll("\0", "");

            // Avoid anything between script tags
            Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
            Matcher matcher = scriptPattern.matcher(cleanValue);

             if(matcher.find()){
                 return true;
             }

            // Avoid anything in a src='...' type of expression
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            matcher =  scriptPattern.matcher(cleanValue);

            if(matcher.find()){
                return true;
            }

            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            matcher = scriptPattern.matcher(cleanValue);

            if(matcher.find()){
                return true;
            }

            // Remove any lonesome </script> tag
            scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
            matcher = scriptPattern.matcher(cleanValue);

            if(matcher.find()){
                return true;
            }
            // Remove any lonesome <script ...> tag
            scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            matcher = scriptPattern.matcher(cleanValue);

            if(matcher.find()){
                return true;
            }
            // Avoid eval(...) expressions
            scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            matcher = scriptPattern.matcher(cleanValue);

            if(matcher.find()){
                return true;
            }
            // Avoid expression(...) expressions
            scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            matcher = scriptPattern.matcher(cleanValue);

            if(matcher.find()){
                return true;
            }
            // Avoid javascript:... expressions
            scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
            matcher = scriptPattern.matcher(cleanValue);

            if(matcher.find()){
                return true;
            }
            // Avoid vbscript:... expressions
            scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
            matcher = scriptPattern.matcher(cleanValue);

            if(matcher.find()){
                return true;
            }
            // Avoid onload= expressions
            scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            matcher = scriptPattern.matcher(cleanValue);

            if(matcher.find()){
                return true;
            }
        }

        return false;
    }

    /**
     * add by xwj 对BEAN类所有GET方法检测
     */
    public static boolean checkXSS(Object obj){
        Method[] methods = obj.getClass().getMethods();
        for (int i = 0; i < methods.length; i++) {
            Method m = methods[i];
            if(m.getName().startsWith("get")){
                System.out.println(m.getName());
                try{
                    Object res = m.invoke(obj);
                    if(res != null){
                        if(checkXSS(String.valueOf(res))){
                            return true;
                        }
                    }
                }catch(Exception e){
                    e.printStackTrace();
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
//        PAd p = new PAd();
//        p.setAdDesc("<script>a</scriptsssssssssss");
//        System.out.println(checkXSS(p));
//        String cleanValue = "javascript:";
//
//        String t2 = "<script>a</scriptsssssssssss";
//
//
//        cleanValue = cleanValue.replaceAll("\0", "");
//
//        // Avoid anything between script tags
//        Pattern scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
//        Matcher matcher = scriptPattern.matcher(cleanValue);
//
//        System.out.println(matcher.find());
//
//        matcher = scriptPattern.matcher(t2);
//
//        System.out.println(matcher.find());



        //

    }
}
